COLUMBIA — A former state senator expanded his lawsuit Monday over the hacking of millions of South Carolina tax returns to include a separate state agency and private data security company.
Spartanburg attorney John Hawkins added Trustwave and the Division of State Information Technology to a lawsuit he filed last week over the massive security breach at the state’s tax collection agency.
The former Republican senator claims the company hired by the Revenue Department for computer security failed to protect taxpayers’ data.
Trustwave has “violated and failed to comply with the duties imposed upon them to encrypt data and to expeditiously disclose the breach of security,” the lawsuit reads.
The state has used the international company since 2005. A Revenue spokeswoman was unable to provide by Monday evening what the agency paid the company for services or specify what its contract covered.
A Trustwave spokesman declined to comment, citing company policy on pending legal matters.
Hawkins initially sued Gov. Nikki Haley, the Department of Revenue and its director for negligence. The lawsuit seeks class-action status.
State officials announced Oct. 26 that 3.6 million personal income tax returns filed since 1998 were compromised by an international computer hacker. Last week, Haley said up to 657,000 business filings also were exposed. Experts said it may be the largest cyber-attack against a state tax department in the nation’s history.
The data was extracted Sept. 13 – the last of several system intrusions since August. State officials did not learn of the breach until Oct. 10, when the Secret Service informed state law enforcement, said revenue department director Jim Etter.
He told senators a week ago that agency officials believed taxpayers’ data was protected based on consistent monitoring from a third-party contractor, which scanned the agency’s system on Sept. 14 and Oct. 14 and found no external vulnerabilities.
“Obviously, that was not the case,” he said during a hearing on the breach. Revenue spokeswoman Samantha Cheek confirmed Monday that Etter was referring to Trustwave.
The revenue agency has been criticized for not using free monitoring services offered by the Budget and Control Board’s information technology division.
Cheek said the agency needed to use a company in compliance with Payment Card Industry security standards, to be able to process taxpayers’ credit cards – something the state division didn’t offer.
“Therefore, we were required to use a third-party vendor that was PCI compliant in order to safeguard financial data,” Cheek said.
She acknowledged, however, that her agency could have also used state IT monitoring services.
Its installed network sensors monitor traffic to identify unusual activity and alert customers to a potential problem, said Budget and Control Board spokeswoman Lindsey Kremlick.
Those customers include 82 school districts, 15 counties, 15 public libraries, nine cities, five utilities and 54 state agencies. Revenue became No. 54 on Oct. 20, Kremlick said.
That’s the date Etter said the agency closed the breach. Officials have declined to say what hole was closed or what that entailed.
Hawkins said he included the state IT division in the lawsuit because the data was extracted through its system.
“Goodness knows how many gigabytes went out over the trunk of DSIT lines,” he said. “It takes time to move that much data, and it happened over DSIT’s backbone. ... It was a systematic failure across all of these agencies and Trustwave.”
A Budget and Control Board spokeswoman declined to comment on the lawsuit, saying the agency had not been served.
State law limits the liability of public agencies in negligence cases to $600,000 per occurrence. This means that if a judge considered the hacking to have been a single event and 3.6 million individuals sued the Department of Revenue and won, their maximum takeaway would be just $0.16 apiece.
Hawkins argues his case is covered by a separate law that provides a fine of up to $1,000 for each resident whose information is breached. Whatever a judge decides on that front, the liability limit does not apply to private companies such as Trustwave.